September 18, 2012

Back in April, the Harvard Business Review ran an article that made the argument that “Good Data Won’t Guarantee Good Decisions.” The good data that the article talked about was Big Data. And what I’d add is that it certainly won’t guarantee good security and compliance either.

The crux of the article was that organizations don’t have enough of the right sort of analysts to make good use of the potential insights that Big Data offers up. There weren’t enough cynics in the group, you might say:

We evaluated 5,000 employees at 22 global companies and sorted them into three groups. “Unquestioning empiricists” trust analysis over judgment, and “visceral decision makers” go exclusively with their gut. “Informed skeptics”—the employees best equipped to make good decisions—effectively balance judgment and analysis, possess strong analytic skills, and listen to others’ opinions but are willing to dissent. They’re the kind of data-savvy workers every company should try to cultivate. However, we found that only 38% of employees, and 50% of senior managers, fall into this group.

 

There’s the risk, in other words, of a rush to churn out “results” from Big Data without our having put in place enough people qualified to turn out results that actually mean something.

Additionally, enterprises are eager to see what Big Data has to offer their organizations, meaning that they are rushing data into tools that are arguably not ready for prime time, and particularly not from a security perspective. One of the most popular tools for this kind of experimentation, of course, is the open-source Hadoop platform.

As was noted in a recent InformationWeek article:

Hadoop “really isn’t designed to be a secure processing environment, which is a little scary considering how many people are trying to use it,” said Robert Bird, president, CTO, and co-founder of Red Lambda.

 

There’s a real opportunity here, however. It involves rewriting parts of Hadoop (and other big data tools), but that will have to happen in any case. While we’re rewriting, let’s build security measures into the elements that developers use when building specific applications. In other words, let’s try as much as possible to harden the framework so that analysts within organizations, people already struggling with the expertise required to use the tools to provide actionable insights, essentially have to go out of their way to create insecure data sets. We should do this even if it means that corporate security departments have to hire developers and do some of the heavy lifting: security should be offering tools (APIs, prebuilt modules) to match the pace of agile business, and Big Data is a perfect opportunity to start doing so.

It sounds obvious, in a way, but it’s not generally what happens. Big Data represents an important opportunity to get it right as we migrate the tools into the enterprise. There is enormous complexity lurking here, and getting security right for Big Data is a daunting challenge, but that’s the conversation we need to be having when we gather at meetings such as E2 Innovate and talk about security and compliance.

——–

Robert Richardson (@cryptorobert) is former editorial director at Black Hat, a former director of the Computer Security Institute, and frequently talks security at his blog ModeNomad.com.
